The bipartisan Federal Information Security Amendments Act of 2013 unanimously passed the House Oversight and Government Reform Committee by a voice vote on March 20. The measure would require federal agencies to continuously monitor their IT systems for cyberthreats and to conduct regular threat assessments. The legislation, if enacted, would supersede the current FISMA law, which relies heavily on a checklist approach to IT security that many people in government contend doesn't truly show how secure agencies' IT systems are [see Is Gov't IT Secure? FISMA Report Can't Tell].

Each agency would be required to designate an official to be chief information security officer under provisions of the bill. An agency's chief information officer could serve simultaneously as CISO; however, the bill would require that information security be the CISO's main focus.

CISO's Responsibilities

According to the bill, the CISO's responsibilities would include:

Overseeing the establishment and maintenance of a security operation that through automated and continuous monitoring can detect, contain and mitigate incidents that impair information security and agency information systems;

Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;

Training and overseeing personnel with significant responsibilities for information security;

Assisting senior agency officials on cybersecurity matters;

Ensuring the agency has a sufficient number of trained and security-cleared personnel to assist in complying with federal cybersecurity law and procedures;

Reporting at least annually to agency executives the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.

The bill would require that CISOs possess the necessary qualifications, including education, training, experience and the security clearance needed to do the job.

Creation of a Federal Information Security Incident Center

If enacted, the bill would create a federal information security incident center to provide timely technical assistance to operators of agency information systems regarding security incidents; compile and analyze information about incidents that threaten information security; inform operators of agency information systems about current and potential information security threats and vulnerabilities; and consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems regarding information security incidents and related matters.

The legislation also would give the director of the White House Office of Management and Budget the authority to oversee the development and implementation of policies, principles, standards and guidelines on information security as well as oversee the operations of a federal information security incident center.

The Obama administration has been shifting much of the responsibility for overseeing civilian agency IT security to the Department of Homeland Security. This bill does not grant any additional authorities to DHS, although it would not preclude OMB from doing just that, as long as the OMB director retains final authority.

Sen. Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, has promised that his panel will draft a FISMA reform measure, but it is unclear whether it would be in the form of a standalone bill or part of a more comprehensive cybersecurity legislative package.
